Back in September, we learned that a flaw in WhatsApp, the popular cross-platform mobile messaging app, allowed cybercriminals to hijack user accounts. According to experts, these types of attacks are still possible, despite the fact that the company has recently made some changes.
Initially, the problem stemmed from the fact that the application used device IMEI numbers (on Android) and Wi-Fi interface MAC addresses (on iOS) to generate passwords.
Since these identifiers are fairly easy to obtain, attackers could have easily hijacked accounts with the aid of the WhatsAPI PHP library, which has been specially adapted for this purpose.
After the updates made by WhatsApp, web clients that relied on the WhatsAPI library no longer worked. In theory, this meant that the issue was addressed, but the company didn’t provide any details regarding the changes it made.
However, The H reports that a user has provided security firm heise with a script that restored the WhatsAPI library to operation, implicitly re-enabling the attack method.
heise Security has offered to provide WhatsApp with all the details of the vulnerability, but the company’s representatives have failed to respond.